by Donna Leinwand Leger
and Yamiche Alcindor
USA TODAY, USA TODAY

by Donna Leinwand Leger
and Yamiche Alcindor
USA TODAY, USA TODAY

Paula Broadwell, ex-mistress of former CIA chief David Petraeus, could have used several methods to hide her identity if she sent anonymous, threatening e-mails to Tampa socialite Jill Kelley, experts say.

But the FBI has many techniques available to trace such communications, said Shawn Henry, who retired in March as the FBI's executive assistant director in charge of all civil and criminal cyber investigation.

"Somewhere along the way, her IP address was captured," Henry said. An IP address, or internet protocol address, is a string of numbers unique to a particular computer or device on the internet. With it, authorities can usually track the identity of the person who sent an e-mail or visited a website.

Someone trying to remain anonymous can hide e-mails by routing them through different servers and using public computers that don't keep activity logs, he said. Broadwell may have thought she had done everything to hide her tracks, but often people make mistakes, leaving their e-mails traceable by investigators, he said.

The Associated Press, citing a law enforcement source who declined to be identified, reported that Petraeus and Broadwell apparently used a "dropbox" to conceal their e-mail traffic.

Rather than transmitting e-mails to the other's inbox, they composed at least some messages and left them in a draft folder or in an electronic "drop box," the AP reported. Then the other person could log onto the same account and read the draft e-mails, avoiding the creation of an e-mail trail that might be easier to trace.

The scandal has widened, with the top U.S. commander in Afghanistan under investigation for alleged "inappropriate communications" with Kelley.

Defense Secretary Leon Panetta revealed that the Pentagon had begun an internal investigation into thousands of pages of e-mails from Gen. John Allen to Kelley. A senior Defense official described the e-mails as "flirtatious."

It's not clear whether there was an effort to hide that e-mail trail, and Allen has denied wrongdoing.

Covering up your online tracks can be time-consuming - even for high-powered men who manage secret operations, said Janet Sternberg, a communication and media studies professor at Fordham University.

"Being anonymous would take so much trouble, you wouldn't have time to do the behavior you were trying to hide," said Sternberg, who argues that almost all forms of electronic communication leave traces. "What's surprising is how much there is to discover. Look at his (Petraeus') cellphone and text messages. If he left this evidence around there is probably more evidence to discover."

With cloud services, long e-mail chains, and more storage capabilities, e-mail inboxes and drop boxes can contain thousands of pages of e-mails that users may think are gone but may simply be stored out of sight but within reach of searching authorities, experts said.

"Every circumstance is going to be a little different," Henry said. "It may have been relatively easy or difficult for FBI investigators. It depends on how hard someone tried to hide their transactions. And they can try really hard and then make a mistake."

The FBI would deploy its resources to uncover the sender of an anonymous e-mail depending on the credibility of the suspicious e-mail, the severity of the threat and the target, said Henry, who worked at the FBI for 24 years and is now president of CrowdStrike Services, a cybersecurity firm.

"You absolutely would have to look at the totality of the situation," he said. "There are a whole host of things you factor in."

Before pursuing any investigation, FBI agents would seek an opinion from a prosecutor to determine whether it's possible that laws had been broken, he said.

"We would rarely pursue an investigation without going to an independent prosecutor," he said. "These types of cases are not atypical. They happen relatively frequently."

Usually, the cases are worked with local law enforcement, Henry said.

"If the bureau decided to work it, it would indicate to me that there was more to it," Henry said. "If the target is named and it's a high-level official, that would raise people's attention. It indicates to me that there was more to this, not just a random e-mail."

How long such an investigation takes would vary with the number of leads that need to be run down and the complexity of the cybertrail, he said.

"In these types of cases, there are many complexities," Henry said. "If they discovered the director of CIA is involved you want to make sure you get all the facts because it's going to impact a lot of other people. The bureau would want to collect all of the evidence and really fully flesh this out before it went public."

In Petraeus' case, Sternberg and others believe e-mail hosts worked with authorities to access the drop box he and Broadwell used. "You can tell that Google must have given the government information about the IP address of every computer that ever accessed that inbox," Sternberg said.

Google acknowledges that it does receive requests from government agencies around the world to "provide information about users of our services and products," according to a Google policy statement posted online.

The company scrutinizes such request to make sure it complies with local laws, and "may refuse to produce information or try to narrow the request."

Of all the free webmail services, Google collects and correlates the most data from users of its free Gmail service, including IP addresses, key words in e-mail text and information from search queries and web page visits, said Caitlin Johanson, security strategist at CORE Security.

The data is primarily used to profile users of Google's online services for advertising purposes. It is technically feasible for the company to map out the successful login activities of a Gmail account holder who is using several aliases and logging in from the same network, Johanson said.

"The information is there for Google to get, but you just can't ask Google for it," Johanson said. "I believe you'd have to get a subpoena or supply enough information as to why they should give you that documentation."

Orlando Scott-Cowley, an e-mail expert who works for Mimecast, a London-based cloud e-mail management vendor, said he stresses to clients that e-mail - business and personal - comes with limited privacy.

"When we talk to businesses about how they use e-mail, we teach users that e-mail isn't secure and that you shouldn't use it to receive or send confidential information," he said.

People have been trying to find a way to communicate secretly for years but have not really achieved that goal, said Paul Hill, a senior consultant with SystemExperts, a security consulting firm.

He said drop boxes have been used for years by people trying to hide information with varying success.

His advice: "Don't cheat on your spouse, and don't leave around all the evidence because sooner or later someone is going to find it."

Of course, life isn't that simple.

For high-powered men juggling careers, frequent travelling and family responsibilities, having an affair or sending inappropriate e-mails comes down to emotions and attraction, says Sheri Meyers, who has a doctorate in psychology and works as a marriage and family therapist.

Sending secure communications and coding e-mails to make them indiscoverable took a back seat to passion.

"I blame it on humanity," she said. "There is a need for connection. Their arousal and how good contact felt overruled all reason or worry that they were going to get caught."